diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 0b1df036..40b6dfd6 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -8,6 +8,11 @@ on: schedule: - cron: "0 6 * * 1" # weekly, Monday 6 AM UTC +# Workflow-level default — least privilege. The analyze job elevates +# security-events to write for the CodeQL upload step. +permissions: + contents: read + jobs: analyze: name: Analyze Go diff --git a/.github/workflows/notify-canary.yml b/.github/workflows/notify-canary.yml index 2852676b..833c5a32 100644 --- a/.github/workflows/notify-canary.yml +++ b/.github/workflows/notify-canary.yml @@ -24,6 +24,11 @@ on: pull_request: branches: ['**'] +# Workflow-level default — least privilege. This workflow only reads +# the repo and dispatches an external event using its own PAT secret. +permissions: + contents: read + jobs: dispatch: runs-on: ubuntu-latest